From the ''Server'' field, we understand that the server is likely Apache, version 1.3.3, running on Linux operating system.

From the ''Server'' field, we understand that the server is likely Apache, version 1.3.3, running on Linux operating system.

−

Three examples of the HTTP response headers are shown below:

+

Four examples of the HTTP response headers are shown below.

From an '''Apache 1.3.23''' server:

From an '''Apache 1.3.23''' server:

Line 54:

Line 54:

Content-Length: 7369

Content-Length: 7369

</pre>

</pre>

+

From a '''Netscape Enterprise 4.1''' server:

From a '''Netscape Enterprise 4.1''' server:

<pre>

<pre>

Line 65:

Line 66:

Connection: close

Connection: close

</pre>

</pre>

+

From a '''SunONE 6.1''' server:

From a '''SunONE 6.1''' server:

<pre>

<pre>

Line 80:

Line 82:

For example we could obtain the following answer:

For example we could obtain the following answer:

<pre>

<pre>

−

403 HTTP/1.1

+

403 HTTP/1.1 Forbidden

−

Forbidden Date: Mon, 16 Jun 2003 02:41: 27 GMT

+

Date: Mon, 16 Jun 2003 02:41: 27 GMT

Server: Unknown-Webserver/1.0

Server: Unknown-Webserver/1.0

Connection: close

Connection: close

−

Content-Type: text/HTML;

+

Content-Type: text/HTML; charset=iso-8859-1

−

charset=iso-8859-1

+

</pre>

</pre>

−

In this case the server field of that response is obfuscated: we cannot know what type of web server is running.

+

In this case, the server field of that response is obfuscated: we cannot know what type of web server is running.

=== Protocol behaviour ===

=== Protocol behaviour ===

−

Refined techniques of testing take in consideration various characteristics of the several web servers available on the market. We will list some methodologies that allow us to deduce the type of web server in use.

+

More refined techniques take in consideration various characteristics of the several web servers available on the market. We will list some methodologies that allow us to deduce the type of web server in use.

'''HTTP header field ordering'''

'''HTTP header field ordering'''

+

The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the header. We consider the following answers as an example:

The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the header. We consider the following answers as an example:

Line 154:

Line 156:

Connection: close

Connection: close

</pre>

</pre>

−

We can notice that the ordering of the ''Date'' field and the ''Server'' field differs between Apache, Netscape Enterprise and IIS.

+

We can notice that the ordering of the ''Date'' field and the ''Server'' field differs between Apache, Netscape Enterprise, and IIS.

'''Malformed requests test'''

'''Malformed requests test'''

+

Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server.

Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server.

−

We consider the following HTTP response:

+

Consider the following HTTP responses.

Response from '''Apache 1.3.23'''

Response from '''Apache 1.3.23'''

Line 211:

Line 214:

Connection: close

Connection: close

</pre>

</pre>

−

We notice that every server answers in a different way. The answer also differs in the version of the server. An analogous issue comes if we create requests with a non-existent protocol. Consider the following responses:

+

We notice that every server answers in a different way. The answer also differs in the version of the server. Similar observations can be done we create requests with a non-existent protocol. Consider the following responses:

Response from '''Apache 1.3.23'''

Response from '''Apache 1.3.23'''

Line 261:

Line 264:

=== Automated Testing ===

=== Automated Testing ===

−

The tests to carry out testing can be several. A tool that automates these tests is "''httprint''" that allows one, through a signature dictionary, to recognize the type and the version of the web server in use.<br>

+

The tests to carry out in order to accurately fingerprint a web server can be many. Luckily, there are tools that automate these tests. "''httprint''" is one of such tools. httprint has a signature dictionary that allows one to recognize the type and the version of the web server in use.<br>

Brief Summary

Web server fingerprinting is a critical task for the Penetration tester. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.

Description of the Issue

There are several different vendors and versions of web servers on the market today. Knowing the type of web server that you are testing significantly helps in the testing process, and will also change the course of the test. This information can be derived by sending the web server specific commands and analyzing the output, as each version of web server software may respond differently to these commands. By knowing how each type of web server responds to specific commands and keeping this information in a web server fingerprint database, a penetration tester can send these commands to the web server, analyze the response, and compare it to the database of known signatures. Please note that it usually takes several different commands to accurately identify the web server, as different versions may react similarly to the same command. Rarely, however, different versions react the same to all HTTP commands. So, by sending several different commands, you increase the accuracy of your guess.

Black Box testing and example

The simplest and most basic form of identifying a Web server is to look at the Server field in the HTTP response header. For our experiments we use netcat.
Consider the following HTTP Request-Response:

However, this testing methodology is not so good. There are several techniques that allow a web site to obfuscate or to modify the server banner string.
For example we could obtain the following answer:

In this case, the server field of that response is obfuscated: we cannot know what type of web server is running.

Protocol behaviour

More refined techniques take in consideration various characteristics of the several web servers available on the market. We will list some methodologies that allow us to deduce the type of web server in use.

HTTP header field ordering

The first method consists of observing the ordering of the several headers in the response. Every web server has an inner ordering of the header. We consider the following answers as an example:

We notice that every server answers in a different way. The answer also differs in the version of the server. Similar observations can be done we create requests with a non-existent protocol. Consider the following responses:

Automated Testing

The tests to carry out in order to accurately fingerprint a web server can be many. Luckily, there are tools that automate these tests. "httprint" is one of such tools. httprint has a signature dictionary that allows one to recognize the type and the version of the web server in use.
An example of running httprint is shown below:

OnLine Testing

An example of on line tool that often delivers a lot of information on target Web Server, is Netcraft. With this tool we can retrieve information about operating system, web server used, Server Uptime, Netblock Owner, history of change related to Web server and O.S.
An example is shown below: